https://bugzilla.redhat.com/show_bug.cgi?id=1058839

Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
need to check the ACL rules to filter which events to send.  But
it overlooked one thing: the event dispatch queue is running in
the main loop thread, and therefore does not normally have a
current virIdentityPtr.  But filter checks can be based on current
identity, so when libvirtd.conf contains access_drivers=["polkit"],
we ended up rejecting access for EVERY event due to failure to
look up the current identity, even if it should have been allowed.

Furthermore, even for events that are triggered by API calls, it
is important to remember that the point of events is that they can
be copied across multiple connections, which may have separate
identities and permissions.  So even if events were dispatched
from a context where we have an identity, we must change to the
correct identity of the connection that will be receiving the
event, rather than basing a decision on the context that triggered
the event, when deciding whether to filter an event to a
particular connection.

If there were an easy way to get from virConnectPtr to the
appropriate virIdentityPtr, then object_event.c could adjust the
identity prior to checking whether to dispatch an event.  But
setting up that back-reference is a bit invasive.  Instead, it
is easier to delay the filtering check until lower down the
stack, at the point where we have direct access to the RPC
client object that owns an identity.  As such, this patch ends
up reverting a large portion of the framework of commit f9f56340.
We also have to teach 'make check' to special-case the fact that
the event registration filtering is done at the point of dispatch,
rather than the point of registration.  Note that even though we
don't actually use virConnectDomainEventRegisterCheckACL (because
the RegisterAny variant is sufficient), we still generate the
function for the purposes of documenting that the filtering
takes place.

Also note that I did not entirely delete the notion of a filter
from object_event.c; I still plan on using that for my upcoming
patch series for qemu monitor events in libvirt-qemu.so.  In
other words, while this patch changes ACL filtering to live in
remote.c and therefore we have no current client of the filtering
in object_event.c, the notion of filtering in object_event.c is
still useful down the road.

* src/check-aclrules.pl: Exempt event registration from having to
pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL)
(remoteRelayNetworkEventCheckACL): New functions.
(remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused
function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Bugs have been found in the VirtualBox API C bindings. These bugs have
been fixed in versions 4.2.20 and 4.3.4. However, the changes in the
C bindings are incompatible with the vbox_CAPI_v4_2.h and vbox_CAPI_v4_3.h
files which are bundled in libvirt source code.
This is why the following patch adds vbox_CAPI_v4_2_20.h and
vbox_CAPI_v4_3_4.h.

The actual underlying problem here is that until now,
libvirt assumed that VirtualBox API can only change between minor
versions (4.2 -> 4.3), but we have a case here where it changed
(or got fixed) between patch versions (4.2.18 -> 4.2.20).

This patch makes the VBOX_API_VERSION represent the full API
version number (i.e 4002 => 4002000) so there are specific version
numbers for Vbox 4.2.20 (4002020) and 4.3.4 (4003004)

Ever since ACL filtering was added in commit 76397360 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends.  We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.

Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08f (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration.  But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access.  The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global.  Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.

Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.

* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Ever since their introduction (commit 1509b802 in v0.5.0 for
virConnectDomainEventRegister, commit 44457238 in v0.8.0 for
virConnectDomainEventDeregisterAny), the event deregistration
functions have been documented as returning 0 on success;
likewise for older registration (only the newer RegisterAny
must return a non-zero callbackID).  And now that we are
adding virConnectNetworkEventDeregisterAny for v1.2.1, it
should have the same semantics.

Fortunately, all of the stateful drivers have been obeying
the docs and returning 0, thanks to the way the remote_driver
tracks things (in fact, the RPC wire protocol is unable to
send a return value for DomainEventRegisterAny, at least not
without adding a new RPC number).  Well, except for vbox,
which was always failing deregistration, due to failure to
set the return value to anything besides its initial -1.

But for local drivers, such as test:///default, we've been
returning non-zero numbers; worse, the non-zero numbers have
differed over time.  For example, in Fedora 12 (libvirt 0.8.2),
calling Register twice would return 0 and 1 [the callbackID
generated under the hood]; while in Fedora 20 (libvirt 1.1.3),
it returns 1 and 2 [the number of callbacks registered for
that event type].  Since we have changed the behavior over
time, and since it differs by local vs. remote, we can safely
argue that no one could have been reasonably relying on any
particular behavior, so we might as well obey the docs, as well
as prepare callers that might deal with older clients to not be
surprised if the docs are not strictly followed.

For consistency, this patch fixes the code for all drivers,
even though it only makes an impact for vbox and for local
drivers.  By fixing all drivers, future copy and paste from
a remote driver to a local driver is less likely to
reintroduce the bug.

Finally, update the testsuite to gain some coverage of the
issue for local drivers, including the first test of old-style
domain event registration via function pointer instead of
event id.

* src/libvirt.c (virConnectDomainEventRegister)
(virConnectDomainEventDeregister)
(virConnectDomainEventDeregisterAny): Clarify docs.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventDeregister)
(libxlConnectDomainEventDeregisterAny): Match documentation.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventDeregister)
(lxcConnectDomainEventDeregisterAny): Likewise.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventDeregister)
(testConnectDomainEventDeregisterAny)
(testConnectNetworkEventDeregisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventDeregister)
(umlConnectDomainEventDeregisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxConnectDomainEventRegister)
(vboxConnectDomainEventDeregister)
(vboxConnectDomainEventDeregisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventDeregister)
(xenUnifiedConnectDomainEventDeregisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventDeregisterAny): Likewise.
* tests/objecteventtest.c (testDomainCreateXMLOld): New test.
(mymain): Run it.
(testDomainCreateXML): Check return values.
Signed-off-by: NEric Blake <eblake@redhat.com>

The virDomainEvent class is kept as it indicates what meta informations
are valid for the children classes. This may be useful in the future.

This aims at providing some consistency with other domain events

Leave virDomainEventRegister and its Deregister brother as these are
legacy functions only for domain lifecycle events.

The original code ignored errors of virDomainHostdevDefAlloc,
however, we should properly do error return from the function
if it occurs.

The fix pulls out virDomainHostdevDefAlloc from the loop and
executes it all together before the loop. So we can easily
return on errors without the notion of other memory allocations
in the loop.

The deallocation code is separated from the allocation code
because it will be used by a further patch for fixing other error
handlings.
Reported-by: NLaine Stump <laine@laine.org>
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

The fixed loop used logical OR to combine two conditions, however,
it is apparently incorrect and logical AND is correct.

We can fix it by replacing OR with AND, but this patch instead
fixes the problem by getting rid of the first conditional
statement: USBFilterCount < def->nhostdevs. It isn't needed
because USBFilterCount will never be greater than or equal to
def->nhostdevs.

def->nhostdevs is calculated in the following code
above the loop in question like this:

    for (i = 0; i < deviceFilters.count; i++) {
        PRBool active = PR_FALSE;
        IUSBDeviceFilter *deviceFilter = deviceFilters.items[i];

        deviceFilter->vtbl->GetActive(deviceFilter, &active);
        if (active) {
            def->nhostdevs++;
        }
    }

And the loop is constructed as like this:

    for (i = 0; (USBFilterCount < def->nhostdevs) || (i < deviceFilters.count); i++) {
        PRBool active                  = PR_FALSE;
(snip)
        deviceFilter->vtbl->GetActive(deviceFilter, &active);
        if (!active)
            continue;
(snip)
        USBFilterCount++;
    }

So def->nhostdevs is the number of active device filters and
USBFilterCount is counted up only when a device filter is active.
Thus, we can remove USBFilterCount < def->nhostdevs safely.
Reported-by: NLaine Stump <laine@laine.org>
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

Makefile.am, vbox_V4_3.c and vbox_driver.c do regular
modifitions to support a new version of APIs.

vbox_tmpl.c basically fixes incompatibilities since 4.2.

The affected incompatibilities of 4.3 are:
* IMachine::Delete() has been renamed to IMachine::deleteConfig()
* IMedium::CreateBaseStorage() now accepts multiple variant values
* IDisplay::GetScreenResolution() now returns the display position
  in the guest
* IMachine now has multiple IUSBControllers and IUSBDeviceFilters
  handles USB device filters instead of (obsolete) IUSBController

This patch is tested on Mac OS X 10.8.5 and Fedora 19.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

vbox_CAPI_v4_3.h is almost same as
sdk/bindings/xpcom/include/VBoxCAPI_v4_3.h of
http://download.virtualbox.org/virtualbox/4.3.2/VirtualBoxSDK-4.3.2-90405.zip,
but modified to fix preprocessor indentations by using cppi.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

The USB-related code in vboxDomainGetXMLDesc is deeply nested and
difficult to add new code. So flatten it. To do so, the code is
pulled out from vboxDomainGetXMLDesc to make the function short
and to leaverage early return and goto for error handling.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

This cleanup flattens deeply nested code.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

Most of our code base uses space after comma but not before;
fix the remaining uses before adding a syntax check.

* src/vbox/vbox_tmpl.c: Consistently use commas.
Signed-off-by: NEric Blake <eblake@redhat.com>

A USB filter is stored in a hostdev. The original code doesn't
allocate hostdev->info that is expected to be allocated with hostdev.
So use virDomainHostdevDefAlloc() to allocate both as we expect.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

Currently we were storing domain feature flags in a bit field as the
they were either enabled or disabled. New features such as paravirtual
spinlocks however can be tri-state as the default option may depend on
hypervisor version.

To allow storing tri-state feature state in the same place instead of
having to declare dedicated variables for each feature this patch
refactors the bit field to an array.

Most of the usage of getuid()/getgid() is in cases where we are
considering what privileges we have. As such the code should be
using the effective IDs, not real IDs.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Unconditional use of getenv is not secure in setuid env.
While not all libvirt code runs in a setuid env (since
much of it only exists inside libvirtd) this is not always
clear to developers. So make all the code paranoid, even
if it only ever runs inside libvirtd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

VirtualBox has 'saved' state for VMs saved by the hypervisor.
However, the state is treated as VIR_DOMAIN_NOSTATE by the vbox
driver, resulting that virsh shows 'no state' for saved VMs.

The fix treats the state as VIR_DOMAIN_SHUTOFF as same as
other domains such as qemu.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

The code for converting between virtualbox API states
and libvirt states was duplicated in two places. Pull
the code out into a shared helper method.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

A few things have changed in the VirtualBox API - some small
(capitalizations of things in function names like Ip to IP
and Dhcp to DHCP) and some much larger (FindMedium is superceded
by OpenMedium). The biggest change for the sake of this patch
is the signature of CreateMachine is quite a bit different. Using
the Oracle source as a guide, to spin up a VM with a given UUID,
it looks like a text flag has to be passed in a new argument to
CreateMachine. This flag is built in the VirtualBox 4.2 specific
ifdefs and is kind of ugly but works. Additionally, there is now
(unused) VM groups support in CreateMachine and the previous
'osTypeId' arg is currently set to nsnull as in the Oracle code.

The FindMedium to OpenMedium changes were more straightforward
and are pretty clear. The rest of the vbox template changes are
basically spelling/capitalization changes from the looks of things.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Similar to what Eric did for Cygwin it helps at least to compile
without --without-vbox

I noticed several unusual spacings in for loops, and decided to
fix them up.  See the next commit for the syntax check that found
all of these.

* examples/domsuspend/suspend.c (main): Fix spacing.
* python/libvirt-override.c: Likewise.
* src/conf/interface_conf.c: Likewise.
* src/security/virt-aa-helper.c: Likewise.
* src/util/virconf.c: Likewise.
* src/util/virhook.c: Likewise.
* src/util/virlog.c: Likewise.
* src/util/virsocketaddr.c: Likewise.
* src/util/virsysinfo.c: Likewise.
* src/util/viruuid.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_hypervisor.c: Likewise.
* tools/virsh-domain-monitor.c (vshDomainStateToString): Drop
default case, to let compiler check us.
* tools/virsh-domain.c (vshDomainVcpuStateToString): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

In my review of 31532cab I missed the fact that VIR_STRDUP
now returns 1 on success, and 0 if the source was NULL.

(This still doesn't add proper OOM error handling.)

Now that COPYING no longer contains the text of the LGPL,
modify the LGPLv2-only files from vbox to call out the
correct file.

* src/vbox/vbox_CAPI_v2_2.h: Refer to correct file.
* src/vbox/vbox_CAPI_v3_0.h: Likewise.
* src/vbox/vbox_CAPI_v3_1.h: Likewise.
* src/vbox/vbox_CAPI_v3_2.h: Likewise.
* src/vbox/vbox_CAPI_v4_0.h: Likewise.
* src/vbox/vbox_CAPI_v4_1.h: Likewise.
* src/vbox/vbox_V2_2.c: Likewise.
* src/vbox/vbox_V3_0.c: Likewise.
* src/vbox/vbox_V3_1.c: Likewise.
* src/vbox/vbox_XPCOMCGlue.c: Likewise.
* src/vbox/vbox_XPCOMCGlue.h: Likewise.
* src/vbox/vbox_driver.c: Likewise.
* src/vbox/vbox_driver.h: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/vbox/vbox_V3_2.c: Copy license notice from vbox_V3_1.c.
* src/vbox/vbox_V4_0.c: Likewise.
* src/vbox/vbox_V4_1.c: Likewise.
* src/vbox/README: Mention copyright issues; this particular
file contains no code and therefore does not need LGPL.
Signed-off-by: NEric Blake <eblake@redhat.com>

These all existed before virfile.c was created, and for some reason
weren't moved.

This is mostly straightfoward, although the syntax rule prohibiting
write() had to be changed to have an exception for virfile.c instead
of virutil.c.

This movement pointed out that there is a function called
virBuildPath(), and another almost identical function called
virFileBuildPath(). They really should be a single function, which
I'll take care of as soon as I figure out what the arglist should look
like.

The individual hypervisor drivers were directly referencing
APIs in src/nodeinfo.c in their virDriverPtr struct. Separate
these methods, so there is always a wrapper in the hypervisor
driver. This allows the unused virConnectPtr args to be
removed from the nodeinfo.c file. Again this will ensure that
ACL checks will only be performed on invocations that are
directly associated with public API usage.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently the virGetHostname() API has a bogus virConnectPtr
parameter. This is because virtualization drivers directly
reference this API in their virDriverPtr tables, tieing its
API design to the public virConnectGetHostname API design.

This also causes problems for access control checks since
these must only be done for invocations from the public
API, not internal invocation.

Remove the bogus virConnectPtr parameter, and make each
hypervisor driver provide a dedicated function for the
driver API impl. This will allow access control checks
to be easily inserted later.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

More fallout from commit 7c9a2d88 dropping too many headers.  Fixes:

In file included from ../../src/vbox/vbox_glue.c:26:0:
../../src/vbox/vbox_MSCOMGlue.c: In function 'vboxLookupVersionInRegistry':
../../src/vbox/vbox_MSCOMGlue.c:435:5: error: implicit declaration of function 'virParseVersionString' [-Werror=implicit-function-declaration]
...
../../src/vbox/vbox_driver.c: In function 'vboxConnectOpen':
../../src/vbox/vbox_driver.c:147:5: error: implicit declaration of function 'getuid' [-Werror=implicit-function-declaration]
../../src/vbox/vbox_driver.c:147:5: error: nested extern declaration of 'getuid' [-Werror=nested-externs]

* src/vbox/vbox_MSCOMGlue.c (includes): Add missing includes.
* src/vbox/vbox_driver.c (includes): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

The source code base needs to be adapted as well. Some files
include virutil.h just for the string related functions (here,
the include is substituted to match the new file), some include
virutil.h without any need (here, the include is removed), and
some require both.

Ensure that all drivers implementing public APIs use a
naming convention for their implementation that matches
the public API name.

eg for the public API   virDomainCreate make sure QEMU
uses qemuDomainCreate and not qemuDomainStart
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

It will simplify later work if the sub-drivers have dedicated
APIs / field names. ie virNetworkDriver should have
virDrvNetworkOpen and virDrvNetworkClose methods
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Ensure that the driver struct field names match the public
API names. For an API virXXXX we must have a driver struct
field xXXXX. ie strip the leading 'vir' and lowercase any
leading uppercase letters.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This patch refactors various places to allow removing of the
defaultConsoleTargetType callback from the virCaps structure.

A new console character device target type is introduced -
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE - to mark that no type was
specified in the XML. This type is at the end converted to the standard
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL. Other types that are
different from this default have to be processed separately in the
device post parse callback.